TravianZ

xinyin025/TravianZ

Fork 0

mirror of https://github.com/Shadowss/TravianZ.git synced 2026-06-30 01:24:23 +00:00

Commit Graph

Author	SHA1	Message	Date
Ferywir	8c1a6ad05b	fix(admin): render a proper error page instead of a blank page on denial [#299 ] (#307 ) Issue #299: posting to an admin Mod (eg editBuildings.php) could show an essentially blank page. The admin panel and the game share the same PHP session, so a game logout (session_destroy) — or a mobile browser dropping the session cookie / serving a cached form with a stale token — wipes the admin session. The Mod then stopped on a bare die('<h1>Access Denied</h1>') (or the 403 die() in csrf_verify()), which renders as a blank/broken page outside the panel. Add a shared admin_deny() helper in GameEngine/Admin/csrf.php that renders a clean, self-contained, styled error page (with a "Return to Admin Panel" link) and a no-store header, then exits. Wire it into csrf_verify() and replace every bare "Access Denied" die() across the 42 admin Mods. Each Mod now loads csrf.php at the top so admin_deny() is available before its first access check. This is the presentation fix Shadow asked for ("we must receive an error not blank page"). The deeper root cause (admin and game sharing one PHP session) is left for a follow-up: giving the admin panel its own session cookie name. Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-29 10:25:18 +03:00
Ferywir	6472b30bd2	fix(admin): verify CSRF token in message admin Mods [#139 ] (#264 ) sendMessage, massmessage and sysmessage are POSTed to directly, bypassing admin.php's central csrf_verify(). Add csrf_verify() (after the admin access check, via the shared GameEngine/Admin/csrf.php) and csrf_field() in their forms (Newmessage.tpl, massmessage.tpl, sysmessage.tpl; the mass/sys templates have both a prepare and an execute form). Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-23 11:49:32 +03:00
TravianZ Patcher	903c4a3285	Add missing handler for admin "Create System Message" The admin panel had a "Create System Message" page (admin.php?p=sysmessage -> Admin/Templates/sysmessage.tpl) whose form posts to GameEngine/Admin/Mods/sysmessage.php, but that backend file never existed, so submitting returned a 404 (Not Found). Add the handler implementing the prepare -> confirm -> execute flow used by the template. On execute it displays a global system message to all players using the existing mechanism (writes Templates/text.tpl from text_format.tpl and sets users.ok = 1), same as the legacy sysmsg.php. %TEKST% is escaped for the PHP double-quoted string context to avoid breakage/injection. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-04 07:34:57 +02:00

Author

SHA1

Message

Date

Ferywir

8c1a6ad05b

fix(admin): render a proper error page instead of a blank page on denial [#299 ] (#307 )

Issue #299: posting to an admin Mod (eg editBuildings.php) could show an
essentially blank page. The admin panel and the game share the same PHP
session, so a game logout (session_destroy) — or a mobile browser dropping the
session cookie / serving a cached form with a stale token — wipes the admin
session. The Mod then stopped on a bare die('<h1>Access Denied</h1>') (or the
403 die() in csrf_verify()), which renders as a blank/broken page outside the
panel.

Add a shared admin_deny() helper in GameEngine/Admin/csrf.php that renders a
clean, self-contained, styled error page (with a "Return to Admin Panel" link)
and a no-store header, then exits. Wire it into csrf_verify() and replace every
bare "Access Denied" die() across the 42 admin Mods. Each Mod now loads
csrf.php at the top so admin_deny() is available before its first access check.

This is the presentation fix Shadow asked for ("we must receive an error not
blank page"). The deeper root cause (admin and game sharing one PHP session) is
left for a follow-up: giving the admin panel its own session cookie name.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

2026-06-29 10:25:18 +03:00

Ferywir

6472b30bd2

fix(admin): verify CSRF token in message admin Mods [#139 ] (#264 )

sendMessage, massmessage and sysmessage are POSTed to directly, bypassing
admin.php's central csrf_verify(). Add csrf_verify() (after the admin access
check, via the shared GameEngine/Admin/csrf.php) and csrf_field() in their
forms (Newmessage.tpl, massmessage.tpl, sysmessage.tpl; the mass/sys templates
have both a prepare and an execute form).

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

2026-06-23 11:49:32 +03:00

TravianZ Patcher

903c4a3285

Add missing handler for admin "Create System Message"

The admin panel had a "Create System Message" page (admin.php?p=sysmessage
-> Admin/Templates/sysmessage.tpl) whose form posts to
GameEngine/Admin/Mods/sysmessage.php, but that backend file never existed,
so submitting returned a 404 (Not Found).

Add the handler implementing the prepare -> confirm -> execute flow used by
the template. On execute it displays a global system message to all players
using the existing mechanism (writes Templates/text.tpl from
text_format.tpl and sets users.ok = 1), same as the legacy sysmsg.php.
%TEKST% is escaped for the PHP double-quoted string context to avoid
breakage/injection.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

2026-06-04 07:34:57 +02:00

3 Commits